Third-Party Risk Management – The New Elephant in the Room

The era of globalisation has added new complexity to supply chains. Vendor and distributor networks that were already intricate have become even more labyrinthine. The drive for efficiency has also pushed companies to concentrate on their core competencies, with many ancillary business activities handed to third-party vendors and solution providers.

All this has undoubtedly improved profitability and raised valuations. It has also, however, exposed businesses to ever-increasing third-party risk. Consider a global electronics corporation that outsources manufacturing to a vendor in Asia. Such a company will have strict guidelines in place to ensure that the vendor follows not only regulatory requirements but ethical best practices as well. Enforcing this becomes harder as more vendors and distributors are added: with hundreds or perhaps thousands of vendors, monitoring all of them effectively is a genuine challenge. Moreover, in the digital age, news of an errant vendor spreads quickly, and the resulting reputational damage to the company that engaged it can be severe.

With these challenges in mind, third-party risk management, or TPRM, is gaining importance. The process covers the identification, assessment and mitigation of third-party risks, as well as the response when an adverse situation does arise.

The third-party risk management process

A good TPRM plan starts with a framework that assesses the current situation and then puts robust policies and procedures in place. This is followed by the actual implementation, with the relevant IT infrastructure and resource training, and, most importantly, continuous monitoring and reassessment: a vendor's status at onboarding says little about its status a year later, so a one-off check is not enough.

The basic framework requires comprehensively capturing all relevant public and verifiable information about a potential vendor. While onboarding a third-party vendor, checks relating to past legal actions, regulatory violations, adverse media reports and the like are performed, along with a thorough vetting of the main stakeholders. For larger vendors, it may even be worth hiring a professional auditor to gather all relevant information. This information is not limited to the company's past history, as described above; it also covers the strength of its governance standards and its environmental and social policies, which are good predictors of possible future trouble.

Some companies use databases maintained by professional auditing firms specifically to help identify red flags. There are also computer programs, or bots, that scan the internet in real time for adverse news about particular companies or groups of people and raise an alert when something specific occurs.

The future

It is clear to any observer that corporate interdependence will only increase in the coming years. As companies take on more third-party risk by continuously adding direct relationships, the need for better tools to scrutinise those relationships will grow with it. Greater regulation and more active public scrutiny will additionally leave companies far less leeway in how they deal with potential risks. Given all of this, it is very likely that artificial intelligence tools will play a major role in effective TPRM frameworks. Such tools can be deployed both to assess potential risks pre-emptively and to raise the alarm reactively as a situation develops. Provided they deliver sufficient functionality once deployed, the cost of developing them is likely to be well worth it.